Tracker: Platform Configuration

Windows

Tracker uses the Event Log service on Windows. This section describes how to configure the Audit Policy so that the service generates the event logs Tracker requires. Both graphical user interface (GUI) and command line interface (CLI) methods are covered. We also provide a PowerShell script for those who need a quick setup.

PowerShell Script

We provide a PowerShell script with which you can easily enable or disable the Audit Policy required by Tracker. If you want to know exactly what the script does, read the rest of these instructions; otherwise, just execute the script. When you run it, you will need a file (represented by TARGET in the script) that contains a list of directories to audit. You may need to use Set-ExecutionPolicy before the script is allowed to run.

Linux

Tracker uses the Linux Auditing System on Linux.

No existing audit rule should prevent audit events from being generated. On some Linux distributions, such as Fedora, the initial rule set may contain "-a never,task", which suppresses event generation. To list and remove the existing audit rules, use the commands below:

sudo auditctl -l # To see a list of current rules
sudo auditctl -D # To delete all the current rules
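Because "auditctl -D" wipes every rule, including rules you may be using for other purposes, it helps to look at the rule set first. The script below is an added example and is not part of the Tracker project: suppressing_rules filters the output of "auditctl -l" for "-a" rules whose action is "never" (such as the "-a never,task" rule mentioned above), check_audit_rules runs that filter against the live rule set, and reset_audit_rules saves a copy of the current rules before deleting them. The function names and the backup path are this example's own choices.

```shell
#!/bin/sh
# Added example (not the Tracker project's code): inspect the current audit
# rule set for rules that suppress event generation before wiping it.

# suppressing_rules: reads rule lines (as printed by `auditctl -l`) on stdin,
# prints every "-a" rule whose action is "never" (e.g. "-a never,task" or
# "-a task,never") and exits 0 if at least one was found, 1 otherwise.
suppressing_rules() {
    grep -E '^-a[[:space:]]+([a-z]+,never|never,[a-z]+)([[:space:]]|$)'
}

# check_audit_rules: show the live rule set and report whether anything in it
# would stop audit events from reaching Tracker. Needs root (uses sudo).
check_audit_rules() {
    rules=$(sudo auditctl -l)
    printf 'Current audit rules:\n%s\n' "$rules"
    if printf '%s\n' "$rules" | suppressing_rules; then
        echo "Suppressing rule(s) found; remove them before starting Tracker." >&2
        return 1
    fi
    echo "No suppressing rules found."
}

# reset_audit_rules [BACKUP_FILE]: save the current rules (so rules used for
# other purposes can be reloaded later with `auditctl -R BACKUP_FILE`), then
# delete all of them. The default backup path is an assumption of this example.
reset_audit_rules() {
    backup="${1:-$HOME/audit-rules-$(date +%Y%m%d%H%M%S).bak}"
    sudo auditctl -l > "$backup"
    sudo auditctl -D
    echo "Previous rules saved to $backup"
}

# Typical use (both commands need sudo):
#   check_audit_rules || reset_audit_rules
```

The filter matches any "-a" rule whose action is "never", not only the "task" list, because every such rule discards events that match it. Keep the backup file: "auditctl -R" can load it back once you are done with Tracker.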

If you use the Linux Auditing System for any other purpose, conflicts may occur. Note that once you run Tracker, all audit events are sent to it and no longer to auditd. If you want to use auditd again after terminating Tracker, restart auditd as follows:

sudo service auditd restart

If auditd doesn't work with Tracker, you may need to kill the '/sbin/auditd -n' process first (on Ubuntu).

OSX

The program uses the OpenBSM audit facility on OSX. Add the pc, cl, fr and fw classes to the flags and naflags entries in /etc/security/audit_control. You need root privileges to edit it. The new configuration takes effect after a reboot. Below is an example configuration.
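Editing audit_control by hand is easy to get wrong (a dropped class, or a class added to flags but not naflags). The script below is an added example, not the Tracker project's own code: add_audit_classes reads an audit_control file, appends each requested class to the flags: and naflags: lines only when it is not already present, leaves every other line untouched, and writes the result to stdout so you decide where it goes. The function name, the comma-separated class argument and the sample file used in the comments are this example's own choices; the classes themselves (pc = process, cl = file close, fr = file read, fw = file write) are the ones the text above asks for.

```shell
#!/bin/sh
# Added example (not the Tracker project's code): idempotently add OpenBSM
# audit classes to the flags: and naflags: entries of an audit_control file.
#
# Usage: add_audit_classes FILE CLASSES
#   e.g. add_audit_classes /etc/security/audit_control pc,cl,fr,fw
# The updated file is written to stdout; nothing is modified in place.
add_audit_classes() {
    awk -v want="$2" '
        BEGIN { n = split(want, w, ",") }
        # audit_control uses "key:value" with no space, e.g. "flags:lo,aa"
        /^(flags|naflags):/ {
            colon = index($0, ":")
            key = substr($0, 1, colon)
            val = substr($0, colon + 1)
            m = split(val, have, ",")
            for (i = 1; i <= n; i++) {
                found = 0
                for (j = 1; j <= m; j++) if (have[j] == w[i]) found = 1
                if (!found) {
                    val = (val == "" ? w[i] : val "," w[i])
                    have[++m] = w[i]      # remember it so duplicates in CLASSES are ignored
                }
            }
            print key val
            next
        }
        { print }                          # every other line passes through unchanged
    ' "$1"
}

# audit_classes FILE KEY: print the class list currently set for KEY
# (flags or naflags), useful for checking the result after a reboot.
audit_classes() {
    awk -v k="$2" -v FS=":" '$1 == k { print $2 }' "$1"
}

# Typical use (as root): write to a scratch file, review it, then install it.
#   add_audit_classes /etc/security/audit_control pc,cl,fr,fw > /tmp/audit_control.new
#   diff /etc/security/audit_control /tmp/audit_control.new
#   sudo cp /tmp/audit_control.new /etc/security/audit_control
```

Running the function twice gives the same output, so it is safe to include in a setup script that may be re-run. Check "audit_classes /etc/security/audit_control flags" after the reboot to confirm the new classes are active.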